The Service Catalog product is called 'shib-role' and is deployed to all AWS accounts to simplify the shibboleth IAM role creation process.
- Launch the product from the Service Catalog Console within your AWS Account
- Enter a Provisioned Product Name; this can be something that makes sense to you (ie. shib-developers)
- Choose a product version
- Enter the product parameters
Parameter Input Limitations
- ADGroupName = An AD group to be nested for granting access to this shibboleth role. This group should contain the member(s) who will need access to AWS.
- What can I enter in this field?
- Must not be blank and cannot contain the following characters # , + " \ < > ;
- What if I do not have an Active Directory group to provide?
- Please review the following for creating Active Directory groups - https://it.cornell.edu/cornellad-cuvpn-group/create-group-cornellad
- What can I enter in this field?
- ProductContact = This should be the netID of the individual filling out this form and who the Cloud Team will contact once manual actions are completed on our end.
- What can I enter in this field?
- Must not be blank and be standard netID formatting
- What can I enter in this field?
- RoleName = The name of the IAM role, excluding the 'shib-' prefix, ie. 'developers'
- What can I enter in this field?
- Must not be blank and contain only alphanumeric characters and underscores '_'
- What can I enter in this field?
- ADGroupName = An AD group to be nested for granting access to this shibboleth role. This group should contain the member(s) who will need access to AWS.
- Select 'Launch Product'
- A notification and TDX ticket is sent to the CIT Cloud Team Support queue for the remaining steps.
- Create / Attach an IAM Policy to this newly created role.